Set up an Azure Infrastructure connector
Capabilities
Resource | Sync | Provision |
---|---|---|
Accounts | ✅ | |
Groups | ✅ | |
Roles | ✅ | ✅ |
Tenants | ✅ | |
Subscriptions | ✅ | |
Enterprise applications | ✅ | |
Managed identities | ✅ | |
Resource groups | ✅ | ✅ |
Available hosting methods
Choose the hosting method that best suits your needs:
Method | Availability | Notes |
---|---|---|
Cloud-hosted | ✅ | A built-in, no-code connector hosted by ConductorOne. |
Self-hosted | ✅ | The Azure Infrastructure connector, hosted and run in your own environment. |
Gather Azure Infrastructure credentials
Each setup method requires you to pass in credentials generated in Azure Infrastructure. Gather these credentials before you move on.
A user holding at least the Cloud Application Administrator role in Azure must perform this task.
Create a new application
In Microsoft Entra admin center, navigate to App registrations.
Click New registration.
Give the application a name, such as “ConductorOne,” and select the relevant supported account type. You do not need to set a redirect URI.
Click Register.
The new app is created. Carefully copy and save the Application (client) ID and the Directory (tenant) ID shown on the application summary page.
Next, we’ll generate a client secret for this app. Click Certificates & secrets.
Click + New client secret.
Give the client secret a description and set its expiration.
Click Add.
The client secret is generated. Carefully copy and save the Secret Value.
Give the new application API permissions
Click API permissions.
Click + Add permissions > Microsoft Graph.
Click Application permissions. Select each permission in the relevant set below:
To sync access data:
- Application.Read.All
- AppRoleAssignment.ReadWrite.All (Microsoft does not make a read-only AppRoleAssignment permission available)
- AuditLog.Read.All
- Directory.Read.All
- Group.Read.All
- GroupMember.Read.All
- MailboxSettings.Read
- RoleAssignmentSchedule.Read.Directory
- RoleEligibilitySchedule.Read.Directory
- RoleManagement.Read.All
- RoleManagement.Read.Directory
- RoleManagementAlert.Read.Directory
- RoleManagementPolicy.Read.AzureADGroup
- RoleManagementPolicy.Read.Directory
- ServicePrincipalEndpoint.Read.All
- User.Read.All
- User.ReadBasic.All
To sync access data and provision access:
- Application.ReadWrite.All
- AppRoleAssignment.ReadWrite.All
- AuditLog.Read.All
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- MailboxSettings.ReadWrite
- RoleAssignmentSchedule.Read.Directory
- RoleEligibilitySchedule.Read.Directory
- RoleManagement.Read.All
- RoleManagement.Read.Directory
- RoleManagementAlert.Read.Directory
- RoleManagementPolicy.Read.AzureADGroup
- RoleManagementPolicy.Read.Directory
- ServicePrincipalEndpoint.ReadWrite.All
- User.ReadWrite.All
- User.ReadBasic.All
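The two permission sets above differ only in write scopes, so an app registration granted the second set while the connector is only syncing holds more Graph privilege than it uses. The following is an added least-privilege check, not ConductorOne's code: it compares the application permissions you see under API permissions (entered as a constructed list here) against the set matching whether the connector will provision access.

```python
# Added example, not ConductorOne's code. Compares the Microsoft Graph application
# permissions granted to the Entra app registration against the two sets this page
# lists, so a sync-only connector is not left holding write-capable permissions.

# Permissions needed to sync access data (from the page).
SYNC_ONLY = frozenset({
    "Application.Read.All", "AppRoleAssignment.ReadWrite.All", "AuditLog.Read.All",
    "Directory.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "MailboxSettings.Read", "RoleAssignmentSchedule.Read.Directory",
    "RoleEligibilitySchedule.Read.Directory", "RoleManagement.Read.All",
    "RoleManagement.Read.Directory", "RoleManagementAlert.Read.Directory",
    "RoleManagementPolicy.Read.AzureADGroup", "RoleManagementPolicy.Read.Directory",
    "ServicePrincipalEndpoint.Read.All", "User.Read.All", "User.ReadBasic.All",
})
# Permissions needed to sync access data and provision access (from the page).
SYNC_AND_PROVISION = frozenset({
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "AuditLog.Read.All",
    "Directory.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
    "MailboxSettings.ReadWrite", "RoleAssignmentSchedule.Read.Directory",
    "RoleEligibilitySchedule.Read.Directory", "RoleManagement.Read.All",
    "RoleManagement.Read.Directory", "RoleManagementAlert.Read.Directory",
    "RoleManagementPolicy.Read.AzureADGroup", "RoleManagementPolicy.Read.Directory",
    "ServicePrincipalEndpoint.ReadWrite.All", "User.ReadWrite.All", "User.ReadBasic.All",
})


def audit_graph_permissions(granted, provisioning):
    """Return (missing, excess) for the permissions granted to the app.

    granted: permission names as listed under API permissions > Application permissions.
    provisioning: True if the connector will provision access (e.g. BATON_PROVISIONING set).
    """
    required = SYNC_AND_PROVISION if provisioning else SYNC_ONLY
    have = set(granted)
    missing = sorted(required - have)
    # Anything beyond the required set: for a sync-only connector this surfaces the
    # ReadWrite grants the page says are only needed when provisioning.
    excess = sorted(have - required)
    return missing, excess


# Constructed sample: an app granted the provisioning set but run as sync-only.
SAMPLE_GRANTED = sorted(SYNC_AND_PROVISION)

if __name__ == "__main__":
    missing, excess = audit_graph_permissions(SAMPLE_GRANTED, provisioning=False)
    print("missing:", missing)
    print("excess (consider removing):", excess)
```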
That’s it! Next, move on to the instructions for your chosen setup method.
Set up an Azure Infrastructure cloud-hosted connector
To complete this task, you’ll need:
- The Connector Administrator or Super Administrator role in ConductorOne
- Access to the set of Azure Infrastructure credentials generated by following the instructions above
In ConductorOne, navigate to Admin > Connectors and click Add connector.
Search for Azure Infrastructure and click Add.
Don’t see the Azure Infrastructure connector? Reach out to support@conductorone.com to add Azure Infrastructure to your Connectors page.
Choose how to set up the new Azure Infrastructure connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
Paste the client ID into the Client ID field.
Paste the client secret into the Client secret field.
Paste the tenant ID into the Tenant ID field.
Optional. Check the box if you want the connector to attempt to get Mailbox settings for users to determine user purpose. (This is helpful if you need to sort out non-human identities such as conference rooms or devices.)
Optional. Check the box if you want to Skip syncing Active Directory Server groups.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Azure Infrastructure connector is now pulling access data into ConductorOne.
Set up an Azure Infrastructure self-hosted connector
To complete this task, you’ll need:
- The Connector Administrator or Super Administrator role in ConductorOne
- Access to the set of Azure Infrastructure credentials generated by following the instructions above
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.
Why use Kubernetes? Kubernetes provides automated deployment, scaling, and management of your connectors. It ensures high availability and reliable operation of your connector services.
Step 1: Configure the Azure Infrastructure connector
In ConductorOne, navigate to Connectors > Add connector.
Search for Baton and click Add.
Choose how to set up the new Azure Infrastructure connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
In the Settings area of the page, click Edit.
Click Rotate to generate a new Client ID and Secret.
Carefully copy and save these credentials. We’ll use them in Step 2.
Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Azure Infrastructure connector deployment:
Secrets configuration
# baton-azure-infrastructure-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-azure-infrastructure-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  # Azure Infrastructure credentials
  BATON_AZURE_CLIENT_ID: <Azure application (client) ID>
  BATON_AZURE_CLIENT_SECRET: <Azure application client secret>
  BATON_AZURE_TENANT_ID: <Azure application directory (tenant) ID>
  # stringData values must be strings, so the optional booleans below are quoted
  # Optional: include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: "true"
  # Optional: include if you want the connector to attempt to get mailbox settings for users to determine user purpose
  BATON_MAILBOXSETTINGS: "true"
  # Optional: include if you want to skip syncing Active Directory Server groups
  BATON_SKIP_AD_GROUPS: "true"
See the connector's README, or run the connector with --help, to see all available configuration flags and environment variables.
Deployment configuration
# baton-azure-infrastructure.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-azure-infrastructure
  labels:
    app: baton-azure-infrastructure
spec:
  selector:
    matchLabels:
      app: baton-azure-infrastructure
  template:
    metadata:
      labels:
        app: baton-azure-infrastructure
        # label values must be strings, so the boolean is quoted
        baton: "true"
        baton-app: azure-infrastructure
    spec:
      containers:
        - name: baton-azure-infrastructure
          # consider pinning a specific version tag instead of latest for repeatable deployments
          image: ghcr.io/conductorone/baton-azure-infrastructure:latest
          imagePullPolicy: IfNotPresent
          envFrom:
            - secretRef:
                name: baton-azure-infrastructure-secrets
Step 3: Deploy the connector
Create a namespace in which to run ConductorOne connectors (if desired):
kubectl create namespace conductorone
Apply the secret configuration:
kubectl -n conductorone apply -f baton-azure-infrastructure-secrets.yaml
Apply the deployment:
kubectl -n conductorone apply -f baton-azure-infrastructure.yaml
Step 4: Verify the deployment
Check that the deployment is running:
kubectl -n conductorone get pods
View the connector logs:
kubectl -n conductorone logs -l app=baton-azure-infrastructure
Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Azure Infrastructure connector to. Azure Infrastructure data should be found on the Entitlements and Accounts tabs.
That’s it! Your Azure Infrastructure connector is now pulling access data into ConductorOne.